What is CVE-2022-48174?

CVE-2022-48174 is a critical vulnerability with a severity score of 9.8, affecting the ash component of Busybox software up to version 1.34. This stack overflow vulnerability can lead to arbitrary code execution, particularly in the environment of Internet of Vehicles.

Who is impacted by this?

Although the vulnerability was reported as fixed in version 1.35, some users have experienced the problem in version 1.36.1 when certain MATH variables are turned off. In summary, systems using Busybox software, especially those with the ash component, are at risk and should take necessary precautions to mitigate this vulnerability.

What should I do if I’m affected?

If you're affected by the CVE-2022-48174 vulnerability, take the following steps:

1. Update BusyBox to the latest version that includes the fix

2. Monitor the bug report for updates or patches

3. Apply the commit fix or the patch provided, if necessary

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2022-48174 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. It is a stack overflow vulnerability in BusyBox's ash component, affecting versions up to 1.34. The vulnerability was published on August 22, 2023.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-787, an out-of-bounds write issue in the ash component of Busybox software.

Learn More

CVE-2022-48174 is a critical vulnerability affecting BusyBox software, with potential consequences for systems using the ash component. For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the resources listed below.

• NVD - CVE-2022-48174

• 15216 – There is a stack overflower in ash of busybox